CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Description
Cross-Site Request Forgery (CSRF) vulnerability in Creative-Solutions Creative Contact Form allows Stored XSS. This issue affects Creative Contact Form: from n/a through 1.0.0.
Analysis
CVE-2025-52794 is a Cross-Site Request Forgery (CSRF) vulnerability in Creative-Solutions Creative Contact Form (versions up to 1.0.0) that enables Stored XSS. An unauthenticated attacker can craft a forged request that, when a victim's browser submits it, injects a persistent JavaScript payload through contact form submissions; the payload then runs for any user who views the contaminated form data. The CVSS 3.1 base score is 7.1 (High): network attack vector, low attack complexity and no privileges required, but user interaction required, which is consistent with a CSRF attack that must be triggered from a victim's browser. That profile makes it readily exploitable in typical web deployments.
Technical Context
This vulnerability combines two distinct attack classes: CSRF (CWE-352) as the primary vector and Stored XSS as the impact. The Creative Contact Form plugin lacks CSRF token validation (anti-CSRF mechanisms) on form submission endpoints, allowing attackers to craft state-changing requests without user authorization. The absence of output encoding or input sanitization permits injected JavaScript to persist in the application's database or session handling, executing in the context of subsequent users' browsers. This affects the Creative-Solutions product line, specifically the Creative Contact Form component versions 1.0.0 and earlier. The vulnerability likely resides in the form processing handler that accepts user input without adequate CSRF protection (missing SameSite cookie attributes, CSRF tokens, or origin validation) and fails to sanitize output when rendering stored contact form data.
Affected Products
Product: Creative Contact Form (Creative-Solutions)
Affected Versions: 1.0.0 and all earlier versions
Vendor: Creative-Solutions
Component: Contact form processing and rendering modules
CPE Identifier (estimated): cpe:2.3:a:creative-solutions:creative_contact_form:*:*:*:*:*:*:*:* (versions <= 1.0.0)
Deployment: Typically used as a WordPress plugin or standalone form component in web applications.
Patch status: No patch version has been publicly released; version 1.0.1 or later (if available) should be verified against vendor advisories.
Remediation
Immediate actions:
(1) Disable or remove the Creative Contact Form plugin if it is not actively required.
(2) Restrict access to contact form pages via WAF rules or IP allowlisting where feasible.
(3) Deploy Content Security Policy (CSP) headers to limit execution of injected script.
Patch actions:
(1) Monitor the Creative-Solutions official advisory/changelog for patched versions > 1.0.0.
(2) Apply the vendor patch immediately upon release.
(3) If no patch is available, harden the code manually: add CSRF token validation using an industry-standard library (e.g., OWASP CSRFGuard), and encode all form output with HTML entity encoding or an allowlist-based HTML filter (e.g., HTML Purifier).
Workarounds:
(1) Implement server-side input validation and output encoding.
(2) Apply CSP headers with script-src 'self' to block inline and externally sourced script injection.
(3) Set the HttpOnly and Secure flags on session cookies and the SameSite=Strict attribute, which stops the browser from attaching the session cookie to cross-site requests and so limits CSRF impact.
Monitoring: Enable logging and alerting on anomalous form submission patterns and on stored XSS signatures in form data fields.
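The two controls the remediation section calls for, CSRF token validation on the state-changing request and output encoding when stored data is rendered, are easiest to see side by side. The following is an added example written for this page, not code from Creative Contact Form or Creative-Solutions: a hypothetical WordPress plugin handler that stores a configurable message field and later renders it. The advisory does not establish exactly where the plugin's injection point is, so the field, option and function names (ccf_*) are assumptions; the WordPress API calls (wp_nonce_field, wp_verify_nonce, sanitize_text_field, esc_html, etc.) are real.

```php
<?php
// Added example, not Creative Contact Form code. All ccf_* names and the
// 'ccf_success_message' option are hypothetical.

// BEFORE: the pattern the advisory describes. Any POST reaches the save path,
// so a victim induced to submit a cross-site form writes attacker-controlled
// markup into the option, and the render function echoes it unescaped.
function ccf_save_settings_vulnerable() {
    if ( isset( $_POST['ccf_success_message'] ) ) {
        update_option( 'ccf_success_message', $_POST['ccf_success_message'] );
    }
}
function ccf_render_success_vulnerable() {
    echo '<div class="ccf-success">' . get_option( 'ccf_success_message', '' ) . '</div>';
}

// AFTER: settings form that emits a nonce bound to the save action. A forged
// cross-site request cannot know this value, so it fails verification below.
function ccf_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'ccf_save_settings', 'ccf_nonce' );
    echo '<input type="hidden" name="action" value="ccf_save_settings">';
    echo '<input type="text" name="ccf_success_message" value="'
        . esc_attr( get_option( 'ccf_success_message', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// AFTER: hardened save handler.
function ccf_save_settings() {
    // 1. Authorization: only users allowed to manage options reach this path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // 2. CSRF: reject any request lacking a valid nonce for this action.
    if ( ! isset( $_POST['ccf_nonce'] )
        || ! wp_verify_nonce( $_POST['ccf_nonce'], 'ccf_save_settings' ) ) {
        wp_die( 'Invalid request', 403 );
    }
    // 3. Input sanitization: strip tags and control characters before storing.
    $message = isset( $_POST['ccf_success_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['ccf_success_message'] ) )
        : '';
    update_option( 'ccf_success_message', $message );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_ccf_save_settings', 'ccf_save_settings' );

// AFTER: output encoding at render time. Escaping here is independent of the
// sanitization above, so a value written through any other path still cannot
// execute as script in a viewer's browser.
function ccf_render_success() {
    echo '<div class="ccf-success">'
        . esc_html( get_option( 'ccf_success_message', '' ) ) . '</div>';
}
```

The order of the checks in ccf_save_settings matters: the capability check runs first so that unauthenticated requests are refused before any nonce or input handling, and the nonce check runs before any write. Output escaping is kept separate from input sanitization on purpose; relying on one alone is what lets a single missed path turn into the stored XSS described above.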
EUVD ID: EUVD-2025-28469